CVE-2025-68783
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-01-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a negative or out-of-range channel number, the driver may write past the end of these arrays. Introduce a local channel variable and validate it before updating the arrays. We reject negative indices, limit meter_level[] and comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[] updates with ARRAY_SIZE(master_level).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68783
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's ALSA usb-mixer driver for the us16x08 device. The function get_meter_levels_from_urb() parses 64-byte meter packets from the device and fills arrays for meter levels, compression levels, and master levels. The vulnerability occurs because the function derives the channel index directly from the packet without validating it. If the packet contains a negative or out-of-range channel number, the driver may write beyond the bounds of these arrays, potentially causing memory corruption. The fix involves validating the channel index before using it to update the arrays, rejecting negative indices, and limiting indices to the maximum allowed channels.

Impact Analysis

This vulnerability can lead to out-of-bounds writes in kernel memory due to improper validation of channel indices from device packets. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges, compromising system security.

Mitigation Strategies

Apply the patch or update to a Linux kernel version that includes the fix for this vulnerability, which validates meter packet indices in the ALSA usb-mixer us16x08 driver to prevent out-of-bounds writes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68783. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart